The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
References
Link | Resource |
---|---|
http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html | Exploit Third Party Advisory |
https://ecosystem.atlassian.net/browse/OAUTH-344 | Issue Tracking Vendor Advisory |
https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3 | Broken Link Third Party Advisory |
https://twitter.com/Zer0Security/status/983529439433777152 | Exploit Third Party Advisory |
https://twitter.com/ankit_anubhav/status/973566620676382721 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: atlassian
Published: 2017-05-31T00:00:00
Updated: 2018-04-10T06:57:01
Reserved: 2017-06-07T00:00:00
Link: CVE-2017-9506
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-08-23T19:29:00.197
Modified: 2019-05-10T15:22:38.517
Link: CVE-2017-9506
JSON object: View
Redhat Information
No data.
CWE